mercurial: changeset 29108:16021d58c5ca

--- a/mercurial/sslutil.py	Wed May 04 23:38:34 2016 -0700
+++ b/mercurial/sslutil.py	Thu May 05 00:32:43 2016 -0700
@@ -261,18 +261,26 @@
 
     # No CAs in config. See if we can load defaults.
     cacerts = _defaultcacerts()
+
+    # We found an alternate CA bundle to use. Load it.
     if cacerts:
         ui.debug('using %s to enable OS X system CA\n' % cacerts)
-    else:
-        if not _canloaddefaultcerts:
-            cacerts = '!'
+        ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+        kws.update({'ca_certs': cacerts,
+                    'cert_reqs': ssl.CERT_REQUIRED})
+        return kws
 
-    ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+    # FUTURE this can disappear once wrapsocket() is secure by default.
+    if _canloaddefaultcerts:
+        kws['cert_reqs'] = ssl.CERT_REQUIRED
+        return kws
 
-    if cacerts != '!':
-        kws.update({'ca_certs': cacerts,
-                    'cert_reqs': ssl.CERT_REQUIRED,
-                    })
+    # This is effectively indicating that no CAs can be loaded because
+    # we can't get here if web.cacerts is set or if we can find
+    # CA certs elsewhere. Using a config option (which is later
+    # consulted by validator.__call__ is not very obvious).
+    # FUTURE fix this
+    ui.setconfig('web', 'cacerts', '!', 'defaultcacerts')
     return kws
 
 class validator(object):

author	Gregory Szorc <gregory.szorc@gmail.com>
	Thu, 05 May 2016 00:32:43 -0700
changeset 29108	16021d58c5ca
parent 29107	c8fbfb9163ce
child 29109	e9ce33c642e8